
Running head: SECURITY DEPLOYMENT PLAN

SECURITY DEPLOYMENT PLAN


Hal Hagood
u04a1

SECURITY DEPLOYMENT PLAN

Deploying a modern WAN architecture requires planning and additional network capabilities to
support higher bandwidth and critical applications. Enterprises rely on private WAN connections such as
Frame Relay, ATM, or leased-line services to connect the various parts of their businesses. When
deploying a traditional Frame Relay or ATM-based private WAN, network operations must implement
point-to-point or hub-and-spoke architectures. This makes provisioning and management of moves or
changes on the network more complex. There is a trade-off too: the operational expense for a private
WAN can sometimes be higher than IP-based WAN technologies. The goal is to have reliable connectivity
that is secure, can be easily updated, and can scale to meet evolving business needs. This is the
challenge at GreenTree Financial.
The goal here is to evaluate the securing of an enterprise WAN edge network as it pertains to the
Cisco enterprise WAN and MAN architectures and the proposed GreenTree Financial network.
To provide reliable connectivity to the enterprise while reducing operational expenses and
becoming more resilient, enabling some of the latest network services is recommended:
Encrypted private connectivity: takes advantage of existing traditional private WAN and MAN
connections
Encrypted ISP service: takes advantage of the ubiquity of public and private IP networks to
provide secure connectivity
IP VPN (service provider-managed MPLS): delivers Layer 2 and Layer 3 VPNs
Self-deployed MPLS: provides any-to-any connectivity
The architecture selected for GreenTree helps increase network scalability and flexibility and
focuses on the enterprise WAN network. The enterprise WAN edge is defined as the set of networking
devices that aggregate traffic from enterprise branch offices, and pass that traffic to the enterprise
campus or data center.
Regardless of which enterprise WAN/MAN architecture is chosen, it is crucial to protect the
devices and traffic residing at the WAN edge. This design guide examines typical WAN edge speeds,
OC3 (155 Mbps) and OC12 (622 Mbps), and establishes profiles for each WAN speed. These profiles are
not intended to be the only recommended design architectures for the WAN edge. They are meant to
show examples based on the majority of enterprise WAN edge architectures available today. Each profile
provides guidelines for securing the WAN edge including infrastructure protection mechanisms, network
fundamentals such as routing and high availability, and, finally, the security services needed to protect
against threats to the WAN edge (Cisco, 2014).
The basic components for GreenTree's proposed network are as follows: WAN aggregation,
crypto aggregation, tunnel interface, and routing protocol functionality components can reside in a single
chassis or multiple chassis, depending on the WAN and MAN architecture chosen.

(Cisco, 2014)

The profile for GreenTree uses a dedicated WAN router and the following service configurations.

The crypto aggregation router and the WAN router are GigE connected.
The crypto aggregation router does not do QoS or Scavenger Class QoS, but rather the WAN
router does instead.

The crypto aggregation router needs to NAT the syslog server and TACACS server ports to
ports on the crypto peer address to make sure that only the LAN side of the WAN router can
access those ports (using a new ACL named Protect-syslog-AAA on the GigE interface to the
WAN router).
The crypto aggregation router is the NTP clock source for the WAN router.
The mGRE tunnel interface on the crypto aggregation system is sourced from the outside LAN
interface (gi0/3 in the example).
The crypto aggregation router needs to add a network statement for OSPF area 1 for the Gi0/3 LAN
on the respective connected crypto aggregation system. This is so that the WAN router interface
IP address has a network path back from the AAA and syslog servers in the core.
The WAN router uses the outer barrier and the iACL (the example uses the ACL named
InfraProt).
The WAN router performs the QoS and Scavenger Class QoS.
The WAN router accesses the super-log syslog server via the NAT-ed port on the crypto
aggregation router.
The WAN router accesses the AAA server via the NAT-ed port on the crypto aggregation router.
The WAN router CoPP policy does not need to include VPN or IGP classes because those
particular items do not terminate on the WAN router.
The inner barrier firewall (ASA 5540) must add some rules to the ACL to allow the LAN IP of the
WAN router to access the internal AAA server and internal syslog super-log server in the core.

(Cisco, 2014)

The rationale and configuration for these devices and services explain the solution for designing
this security deployment. WAN aggregation refers to a load-balancing router. It is assumed that the
service provider implements a QoS service policy that is coordinated with the requirements of the
enterprise customer. The service provider is expected to enable QoS on the WAN links to the branch
offices as well.
The use of a hardware crypto accelerator is a requirement to gain voice quality over a VPN
topology. Cisco strongly recommends that you implement hardware accelerators at both the crypto
aggregation systems and also all connecting branches. The ISR branch routers have built-in crypto
accelerators as a default on the motherboards, or can alternately use add-on cards for crypto hardware
acceleration (Cisco, 2014).
Tunnel Interfaces are Firewall interfaces that define end-points for tunnels in the Route-Based
VPN. Any traffic that is routed to a Tunnel Interface and allowed by the Firewall Access rules is sent into
the tunnel.
You can optionally add IPv4 and/or IPv6 addresses to a Tunnel Interface. Tunnel Interfaces can
only have static IP addresses. Adding an IP address allows you to define the source IP address of traffic
sent from the engine node itself. For example, an IP address is recommended to provide a source IP
address for dynamic routing daemons, for IGMP proxy, and for Protocol Independent Multicast - Sparse
Mode (PIM-SM) configuration. If no IP address is added, traffic to and from the Tunnel Interface
automatically uses the Firewall's Default IP for Outgoing Traffic as its source address (Stonesoft, 2014).
The mapping of Tunnel Interfaces to physical network interfaces on the engine is done
automatically by the engine operating system based on the routing configuration.
Routing protocols use metrics to evaluate what path will be the best for a packet to travel. A
metric is a standard of measurement, such as path bandwidth, that is used by routing algorithms to
determine the optimal path to a destination. To aid the process of path determination, routing algorithms
initialize and maintain routing tables, which contain route information. Route information varies depending
on the routing algorithm used.

Routing algorithms fill routing tables with a variety of information. Destination/next hop
associations tell a router that a particular destination can be reached optimally by sending the packet to a
particular router representing the "next hop" on the way to the final destination. When a router receives an
incoming packet, it checks the destination address and attempts to associate this address with a next
hop.
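As an added worked example (not part of the original paper or of any Cisco material), the following Python script performs the destination/next-hop association just described over a small constructed routing table: the longest matching prefix wins, a lower metric breaks ties between equal prefixes, and the 0.0.0.0/0 entry acts as the default route. All prefixes, next-hop addresses and metrics below are constructed for illustration.

```python
# Added example (not from the paper): a minimal routing table with longest-prefix match.
# Every prefix, next hop and metric here is constructed for illustration.
import ipaddress

# Each entry: (destination prefix, next hop, metric). Constructed sample table.
ROUTING_TABLE = [
    ("0.0.0.0/0",     "192.0.2.1",  10),   # default route toward the WAN edge
    ("10.0.0.0/8",    "10.255.0.1", 20),   # aggregate for the whole enterprise
    ("10.20.0.0/16",  "10.255.0.2", 20),   # one region, more specific than the /8
    ("10.20.30.0/24", "10.255.0.3", 5),    # one branch, more specific still
    ("10.20.30.0/24", "10.255.0.4", 15),   # same prefix, worse metric (backup path)
]

def build_table(entries):
    """Parse the textual entries once so lookups only compare integers."""
    table = []
    for prefix, next_hop, metric in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        table.append((net, next_hop, metric))
    return table

def lookup(table, destination):
    """Return (matching prefix, next hop) for a destination address.

    Selection rule: the longest matching prefix wins; among equal prefixes the
    lowest metric wins. Returns None when nothing matches (no default route).
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for net, next_hop, metric in table:
        if dst in net:
            key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
            if best is None or key > best[0]:
                best = (key, str(net), next_hop)
    return None if best is None else (best[1], best[2])

def main():
    table = build_table(ROUTING_TABLE)
    for dst in ("10.20.30.7", "10.20.99.1", "10.7.7.7", "198.51.100.9"):
        print(dst, "->", lookup(table, dst))

if __name__ == "__main__":
    main()
```

Running the script shows the branch address 10.20.30.7 leaving via the /24 with the better metric, an address in the same region but outside the branch falling back to the /16, and an address outside 10.0.0.0/8 taking the default route.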
It is important to know how to manage IP addresses and allocation properly; this is crucial to the
performance and expandability of GreenTree's new network. In defining which IP addresses will be on
which network, you are not only setting a standard but also one that may be difficult to change later on.
You may also be limiting the size of your network if not careful, because IP networks/subnets have
limited dimensions.
The core problem with IP addressing lies in the IPv4 address exhaustion or decreasing supply of
unallocated Internet Protocol Version 4 (IPv4) addresses available at the Internet Assigned Numbers
Authority (IANA). IANA's primary address pool was exhausted on February 3, 2011. To remedy this
problem IPv6 was conceived; it is a redesigned Internet Protocol, a next-generation solution with a
maximum of 2^128, or about 3.403 × 10^38, addresses. IPv6 is scheduled to replace IPv4; as of September
2013, the percentage of users reaching Google services over IPv6 surpassed 2% for the first time.
Addressing and routing can be considered separated architectures; however, they are closely
coupled in the network, so they are considered here as parts of a single architecture. Addressing,
however, does have elements at the link and physical layers (e.g., Ethernet addresses). Routing also has
its counterparts, bridging and switching, that occur primarily at the physical, data link, and network
layers, but (switching) can occur at any layer in the protocol stack.
A network address is an identifier used to temporarily or persistently locate a device on a network,
in order to communicate with that device. For IP, addresses consist of an address identifier and an
associated mask, usually presented in dotted-decimal notation (Figure 6.1). An address mask identifies
which bits in the address are considered part of the network and (by default) which bits are considered
part of the device (Network Analysis Architecture and Design, 2007).

For purposes of this discussion we will assume the use of IPv4 and the use of dynamic address
assignment for GreenTree's new network. Although there are other methods available, dynamic address
assignment is most commonly used because it avoids the administrative burden of assigning specific
static addresses to each device on a network.
In order to provide the flexibility required to support different size networks, the designers
decided that the IP address space should be divided into three different address classes - Class A, Class
B, and Class C. This is often referred to as "classful" addressing because the address space is split into
three predefined classes, groupings, or categories. Each class fixes the boundary between the network-prefix
and the host-number at a different point within the 32-bit address.

Class A Networks (/8 Prefixes)


Each Class A network address has an 8-bit network-prefix with the highest order bit set to 0 and a
seven-bit network number, followed by a 24-bit host-number. Today, it is no longer considered 'modern' to
refer to a Class A network. Class A networks are now referred to as "/8s" (pronounced "slash eight" or just
"eights") since they have an 8-bit network-prefix.
A maximum of 126 (2^7 - 2) /8 networks can be defined. The calculation requires that the 2 is
subtracted because the /8 network 0.0.0.0 is reserved for use as the default route and the /8 network
127.0.0.0 (also written 127/8 or 127.0.0.0/8) has been reserved for the "loopback" function. Each /8
supports a maximum of 16,777,214 (2^24 - 2) hosts per network. The host calculation requires that 2 is
subtracted because the all-0s ("this network") and all-1s ("broadcast") host-numbers may not be assigned
to individual hosts.
Since the /8 address block contains 2^31 (2,147,483,648) individual addresses and the IPv4
address space contains a maximum of 2^32 (4,294,967,296) addresses, the /8 address space is 50% of
the total IPv4 unicast address space.

Class B Networks (/16 Prefixes)


Each Class B network address has a 16-bit network-prefix with the two highest order bits set to 10
and a 14-bit network number, followed by a 16-bit host-number. Class B networks are now referred to
as "/16s" since they have a 16-bit network-prefix.
A maximum of 16,384 (2^14) /16 networks can be defined with up to 65,534 (2^16 - 2) hosts per
network. Since the entire /16 address block contains 2^30 (1,073,741,824) addresses, it represents 25% of
the total IPv4 unicast address space.

Class C Networks (/24 Prefixes)

Each Class C network address has a 24-bit network-prefix with the three highest order bits set to
1-1-0 and a 21-bit network number, followed by an 8-bit host-number. Class C networks are now referred
to as "/24s" since they have a 24-bit network-prefix.
A maximum of 2,097,152 (2^21) /24 networks can be defined with up to 254 (2^8 - 2) hosts per
network. Since the entire /24 address block contains 2^29 (536,870,912) addresses, it represents 12.5%
(or 1/8th) of the total IPv4 unicast address space (andthatsjazz, 2014).
In consideration of this problem, the time to properly size IP networks is when you initially design
the network. Of course the design is only as good as the information you have at hand; currently
GreenTree has about 50 users and devices, which would put it in the Class C category. If you configure the
routers and design an IP address scheme using these numbers, you will assign a Class C IP address to
this network. If, however, at a later date the device count needs to go up to 400 or 500, changes will have to
be made. There are a few choices that can be prepared to remedy this problem.
To size the network properly in the beginning one can use something called the hosts formula.
This formula says: count the zeros in the subnet mask when it is converted to binary, take 2 to the
power of that number, and subtract 2; the result is the number of possible hosts when using that subnet
mask. This can be done on a subnetting calculator, of course, or with the help of handy subnetting
charts.
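The following Python script is an added example, not part of the paper, that applies the classful rules described above and the hosts formula: it classifies an address from the high-order bits of its first octet (0, 10, 110), converts a dotted-decimal mask to a prefix length, computes 2 to the number of zero bits minus 2 usable hosts, and finds the smallest prefix that covers a projected device count (the 50 and 500 figures discussed for GreenTree). The sample addresses and masks are constructed.

```python
# Added example (not from the paper): classful address classes and the hosts formula.
# Sample addresses and masks are constructed for illustration.
import ipaddress

def address_class(addr):
    """Return 'A', 'B' or 'C' from the high-order bits of the first octet
    (0, 10, 110), as in classful addressing; 'other' for the D/E ranges."""
    first = int(ipaddress.IPv4Address(addr)) >> 24   # first octet as an integer
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    return "other"

CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}   # the /8, /16 and /24 boundaries

def mask_to_prefix(mask):
    """Count the 1 bits in a dotted-decimal mask, rejecting non-contiguous masks."""
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix

def usable_hosts(mask):
    """Hosts formula: 2 to the number of zero bits in the mask, minus 2."""
    zero_bits = 32 - mask_to_prefix(mask)
    if zero_bits < 2:
        return 0   # /31 and /32 leave no room for the all-0s / all-1s exclusion
    return 2 ** zero_bits - 2

def prefix_for_hosts(required):
    """Longest prefix (smallest network) whose usable host count covers `required`."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= required:
            return prefix
    raise ValueError("host count exceeds IPv4 address space")

def main():
    for mask in ("255.255.255.0", "255.255.0.0", "255.0.0.0"):
        print(f"mask {mask}: /{mask_to_prefix(mask)}, {usable_hosts(mask)} usable hosts")
    for count in (50, 500):
        print(f"{count} devices fit in a /{prefix_for_hosts(count)}")
    for addr in ("10.0.0.1", "172.16.5.9", "192.168.1.1"):
        cls = address_class(addr)
        print(f"{addr} is class {cls} (classful prefix /{CLASS_PREFIX[cls]})")

if __name__ == "__main__":
    main()
```

The output makes the sizing point concrete: 50 devices fit in a /26, but 500 need a /23, so an address plan built on today's head count alone leaves no room for the growth the paper anticipates.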
If possible, it is important to know where your company is going with this location -- meaning, how
many networked devices will be at this site? Don't forget to include laser printers, servers and other
networked managed devices (UPS systems, for instance).
Once you know that, you need to try to find out what the expected growth is for this site. Will the
number of devices eventually double? Often, this can be limited by the physical size of the office. If all
you have is a small lot with a single building, and every office is already filled with a PC, there isn't
physical space to add many more devices (searchenterprisewan, 2014). The recommendation for Mega
Corp is a Class B network that will provide 65,536 addresses; this, along with private networking, should
provide everything needed for the foreseeable future.
Private networking (RFC 1918) enables one to have many IP addresses available for internal
use. To access the Internet from those IP addresses, one must perform network address translation
(NAT). Network Address Translation (NAT) is a network protocol used in IPv4 networks that allows
multiple devices to connect to a public network using the same public IPv4 address. NAT was originally
designed in an attempt to help conserve IPv4 addresses (Wikipedia, 2014).
NAT modifies the IP address information in IPv4 headers while in transit across a traffic routing
device. This presents some drawbacks in terms of the quality of Internet connectivity and requires careful
attention to the details of its implementation. In particular, all types of NAT break the originally envisioned
model of IP end-to-end connectivity across the Internet and NAPT makes it difficult for systems behind a
NAT to accept incoming communications. As a result, NAT traversal methods have been devised to
alleviate the issues encountered. NAT has become a common, indispensable feature in routers for home
and small-office Internet connections.
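To illustrate why NAPT makes inbound connections difficult, the following Python script (an added example, not taken from the paper or from any vendor documentation) simulates a minimal NAPT binding table: outbound traffic creates a binding, replies to a bound public port are translated back to the inside host, an unsolicited packet to an unbound port is dropped, and a static binding stands in for the port-mapping approach that the profile above has the crypto aggregation router apply to the syslog and TACACS server ports. All addresses and port numbers are constructed.

```python
# Added example (not from the paper): a simulated NAPT binding table. The inside
# addresses, the public address and all port numbers are constructed.
from dataclasses import dataclass, field

@dataclass
class Napt:
    public_ip: str
    next_port: int = 40000                            # first dynamically assigned public port
    outbound: dict = field(default_factory=dict)      # (inside ip, port) -> public port
    inbound: dict = field(default_factory=dict)       # public port -> (inside ip, port)

    def translate_outbound(self, src_ip, src_port):
        """Rewrite an inside source to (public ip, public port), creating the
        binding on first use so that replies can be translated back."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            while self.next_port in self.inbound:     # skip ports held by static bindings
                self.next_port += 1
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, dst_port):
        """Return the inside (ip, port) a packet to the public address is sent to,
        or None when no binding exists. Without a binding the packet is dropped,
        which is why a server behind NAPT cannot accept unsolicited connections."""
        return self.inbound.get(dst_port)

    def add_static(self, public_port, inside_ip, inside_port):
        """Static binding: the usual remedy for an inside server that must be
        reachable from outside. Only the deliberately exposed port gains a path in."""
        if public_port in self.inbound:
            raise ValueError(f"public port {public_port} already bound")
        self.inbound[public_port] = (inside_ip, inside_port)
        self.outbound[(inside_ip, inside_port)] = public_port

def main():
    nat = Napt(public_ip="203.0.113.10")                       # constructed public address
    print("outbound 10.1.1.5:51000 ->", nat.translate_outbound("10.1.1.5", 51000))
    print("outbound 10.1.1.6:51000 ->", nat.translate_outbound("10.1.1.6", 51000))
    print("reply to :40001 ->", nat.translate_inbound(40001))   # reaches 10.1.1.6
    print("unsolicited to :22 ->", nat.translate_inbound(22))    # None: dropped
    nat.add_static(514, "10.1.1.20", 514)                         # syslog exposed on purpose
    print("syslog to :514 ->", nat.translate_inbound(514))

if __name__ == "__main__":
    main()
```

The same table explains the paper's earlier requirement that only the LAN side of the WAN router may reach the translated syslog and TACACS ports: a static binding opens exactly one path in, so the access list in front of it is what keeps that path limited to the intended source.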
The other alternative is something called CIDR or Classless Inter-Domain Routing. It is a method
for allocating IP addresses and routing Internet Protocol packets. The Internet Engineering Task Force
introduced CIDR in 1993 to replace the previous addressing architecture of classful network design in the
Internet. Its goal was to slow the growth of routing tables on routers across the Internet, and to help slow
the rapid exhaustion of IPv4 addresses (Wikipedia, 2014).
CIDR is a notation in which an IP address and its routing prefix are represented compactly.
Using variable-length subnet masking (VLSM) allows a network to be divided into variously sized
subnets, providing the opportunity to size a network more appropriately for local needs.
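As an added example (not from the paper), the following Python script carves one RFC 1918 /16 block, the size the paper recommends, into variably sized subnets with VLSM using only the standard ipaddress module. Requests are placed largest first, and the smallest free chunk that fits is halved until it matches the requested size, so every subnet starts on a boundary aligned to its own size and the unused halves remain available. The department names, host counts and the 172.16.0.0/16 block are constructed.

```python
# Added example (not from the paper): VLSM allocation out of one RFC 1918 block.
# The requests, host counts and the private block are constructed.
import ipaddress

# Constructed requests: (subnet name, number of hosts it must hold).
REQUESTS = [
    ("users", 500),
    ("servers", 50),
    ("printers", 20),
    ("mgmt", 10),
    ("wan-link", 2),
]

def prefix_for_hosts(hosts):
    """Longest prefix whose usable host count (2^n - 2) still covers `hosts`."""
    host_bits = (hosts + 2 - 1).bit_length()     # ceil(log2(hosts + 2))
    if host_bits > 31:
        raise ValueError("host count exceeds IPv4 address space")
    return 32 - max(host_bits, 2)                # never smaller than a /30

def vlsm_allocate(block, requests):
    """Return {name: IPv4Network} for the requests, carved out of `block`.

    Largest requests go first. The smallest free chunk that fits is halved until
    it is exactly the requested size; the unused halves return to the free pool.
    """
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(requests, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        candidates = [n for n in free if n.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"no space left for {name}")
        # Best fit: smallest chunk (longest prefix); lowest address breaks ties.
        chunk = max(candidates, key=lambda n: (n.prefixlen, -int(n.network_address)))
        free.remove(chunk)
        while chunk.prefixlen < prefix:
            first, second = chunk.subnets(prefixlen_diff=1)
            free.append(second)                  # keep the upper half for later requests
            chunk = first
        plan[name] = chunk
    return plan

def disjoint(plan):
    """True when no two allocated subnets overlap."""
    nets = list(plan.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def main():
    plan = vlsm_allocate("172.16.0.0/16", REQUESTS)
    for name, hosts in REQUESTS:
        net = plan[name]
        print(f"{name:9} {hosts:4} hosts -> {net} ({net.num_addresses - 2} usable)")
    print("disjoint:", disjoint(plan))

if __name__ == "__main__":
    main()
```

With the constructed requests the plan uses 172.16.0.0/23 for the 500 users and fits the four smaller subnets inside 172.16.2.0/24, leaving the rest of the /16 free for growth; an oversubscribed request set (for example 200 and 100 hosts from a single /24) raises an error instead of silently overlapping.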
Device configuration troubleshooting activities can be defined and managed through Cisco
Security Manager. It enables management of security policies on Cisco devices in large, medium, or small
networks. It is configurable to manage anywhere from a few devices to several thousand.
Security Manager also supports provisioning of many platform-specific settings, for example,
interfaces, routing, identity, QoS, and logging. Security Manager efficiently manages a wide range of
networks, from small networks consisting of a few devices to large networks with thousands of devices.
Scalability is achieved through a rich feature set of shareable objects and policies and device grouping
capabilities (Cisco, 2014).
Security Manager can be configured for multiple views that can be optimized for different cases
and platform-specific cases. It provides device grouping and enables you to monitor, view, and
examine events on your network.

Security Deployment Infrastructure Diagram

References

Andthatsjazz, (2014). Retrieved May 2, 2014 from
http://andthatsjazz.org/wbglinks/pages/reads/misc/ip.html
Cisco, (2014). Retrieved May 2, 2014 from
https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080759487.pdf
Cisco, (2014). Retrieved May 2, 2014 from
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper.html
Global Privacy Book, (2014). Retrieved May 2, 2014 from
http://www.globalprivacybook.com/
Network Analysis Architecture and Design, (2007). Retrieved May 2, 2014 from
http://site.ebrary.com.library.capella.edu/lib/capella/docDetail.action?docID=10188254
Searchenterprisewan, (2014). Retrieved May 2, 2014 from
http://searchenterprisewan.techtarget.com/tip/Managing-IP-address-allocation-during-networkexpansion
Stonesoft, (2014). Retrieved May 2, 2014 from
http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.4.2/SGAG/SGOH_InterfaceConfiguration/Defining _Tunnel_Interfaces.htm
Wikipedia, (2014). Retrieved May 2, 2014 from
http://en.wikipedia.org/wiki/Network_address_translation
Wikipedia, (2014). Retrieved May 2, 2014 from
http://en.wikipedia.org/wiki/Classless_InterDomain_Routing
